1. Field of the Invention
The present invention relates to methods and apparatus for providing remote user authentication in a public network. More particularly, the present invention provides methods and apparatus for remote authentication using a one-time password scheme having a secure out-of-band channel for initial password delivery.
2. Art Background
Over the past few years, the networking of computers for electronic mail ("e-mail") communication and dam transfer has grown from simple local area networks to a global network referred to as the "Internet". The Internet comprises a spiderweb of networks which criss-cross the globe and permit users to send and receive e-mail messages, transfer data and access remote data bases between computers coupled to servers. In addition to fixed positions on the Internet, computer systems, such as for example, lap top computers, may be physically moved from one location on the network to another. Wireless links coupling the computers to the Internet, such as direct satellite links, also permit users to access the Internet from remote areas.
As the number of users on the Internet has grown, so have concerns regarding network security. Many businesses and government organizations utilize the Internet for the transfer of business information, government project data and other information which may be considered confidential. Due to the size and complexity of the Internet, the opportunity for an intruder to intercept messages and gain access to confidential information has become a significant concern. The Internet community has established message encryption and authentication procedures for Internet electronic mail. These encryption and authentication procedures are known as privacy enhanced mail (PEM). The PEM protocol establishes procedures to provide for enhanced privacy in e-mail services over the Internet. The PEM protocol is intended to be compatible with a wide range of key management approaches including symmetric (secret key) and asymmetric (public key) approaches for the encryption of data encrypting keys. Privacy enhanced mail services assure message integrity, and are offered through the use of end-to-end cryptography between originator and recipient processes at or above the user level. No special processing requirements are imposed on the message transfer system at endpoints, or at intermediate relay sites on the Internet. The reader is referred to the PEM RFC documents and incorporated herein by reference, entitled: "Privacy Enhancement for Internet Electronic Mail", Parts I-IV, RFCS 1421-1424, available on the Internet at home/internet/rfcs on files rfc1421-rfc1424 (hereinafter at times referred to as "PEM Protocols").
However, although privacy enhanced mail service is available on the Internet, all current applications on the Internet (commonly referred to as "legacy" applications), such as Telnet, File Transfer Protocol ("ftp"), and the like, use simple authentication having reusable passwords. Although it is generally understood that strong authentication using crypto-techniques would provide enhanced password security on the Internet, retrofitting the existing installed base of network applications with such a strong authentication mechanism would take some period of time. In the interim, an intruder can monitor the network and intercept passwords transmitted over the Internet. Since all passwords are currently transmitted from user to a remote server in unencrypted ("clear") form, Internet users are vulnerable to an intruder determining their password, and later logging on to a server utilizing the stolen password of a legitimate user. In fact, there have been cases where intruders have tapped the Internet at well known public sites and have accumulated literally thousands of legitimate valid passwords. Thus, the Internet must be viewed as a large insecure channel in which passwords are transmitted in the clear, and may be acquired by unauthorized parties.
As will be described, the present invention provides methods and apparatus to permit an Internet user to acquire a password which is good for only a one time use. Through the use of the existing privacy enhanced mail system on the Internet, the present invention ensures that only the legitimate user can gain access to the password. Moreover, as will be described, the present invention does not require the retrofitting of existing applications and computers with a strong authentication mechanism.